On Tue, Aug 11, 2009 at 8:16 PM, Mark Ramm<[email protected]> wrote:
> We recently discovered that TurboGears2 ships with quickstart configuration
> that leaves users of its default user authorization/authentication scheme
> vulnerable to a serious security issue.
> If you are running a TG2 application in production you are strongly
> encouraged to set the cookie salt for the authorization cookie in repoze.who
> to something other than its default value.
> This is simple enough to do, just set base_config.sa_auth.cookie_secret to
> any secret value you'd like.   For example:
> base_config.sa_auth.cookie_secret = "mynewsecret"
> You can also set it in development.ini using a key like:
> sa_auth.cookie_secret = "mysupersecret"
> Failure to do this could leave you vulnerable to someone who knows the
> default cookie secret being able to craft a cookie that allows a user into
> your site without authenticating through the normal mechanism.
> TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to
> run if you have not set that value in your configuration.

Can this be done automatically just like the beaker.session.secret is
set when doing:

paster make-config myapp production.ini


beaker.session.secret = ${app_instance_secret}

Thanks,
Lucas



-- 
Using rsync. How to setup rsyncd.
http://lucasmanual.com/mywiki/rsync
OpenLdap - From start to finish.
http://lucasmanual.com/mywiki/OpenLdap
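The advisory above asks for `sa_auth.cookie_secret` to be set to a non-default value and says TurboGears 2.0.2 will refuse to start otherwise; the reply asks whether a random value could be filled in at `make-config` time the way `${app_instance_secret}` is. The following is an added example, not code from TurboGears, repoze.who or either poster, showing both halves of that: a startup-style check that rejects a missing, placeholder, unresolved or short secret, and a helper that writes a freshly generated one into the ini text. The section name `app:main`, the `<CHANGE_ME>` placeholder standing in for a shipped default (the real repoze.who default is deliberately not reproduced), the 32-character minimum and the sample ini are all assumptions made for this example.

```python
import configparser
import io
import secrets

# Assumptions for this example: a constructed placeholder standing in for a
# shipped default (the real repoze.who default is not reproduced here), a
# minimum length, and the Paste Deploy section the app config lives in.
KNOWN_PLACEHOLDERS = frozenset({"<CHANGE_ME>"})
MIN_SECRET_LEN = 32
SECTION = "app:main"
KEY = "sa_auth.cookie_secret"

# Constructed sample ini in the shape `paster make-config` produces: the beaker
# secret is filled from ${app_instance_secret}, the auth-cookie secret is absent.
SAMPLE_INI = """\
[app:main]
use = egg:myapp
beaker.session.secret = ${app_instance_secret}
"""


def generate_cookie_secret(nbytes=32):
    """Fresh random secret from the OS CSPRNG, hex-encoded (64 chars for 32 bytes)."""
    return secrets.token_hex(nbytes)


def _parse(ini_text):
    # interpolation=None keeps Paste's ${app_instance_secret} syntax untouched.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser


def check_cookie_secret(ini_text, section=SECTION):
    """Return (ok, reason) for the auth-cookie secret configured in ini_text."""
    parser = _parse(ini_text)
    if not parser.has_section(section):
        return False, "missing section %s" % section
    raw = parser.get(section, KEY, fallback=None)
    if raw is None:
        return False, "%s is not set, so the library default would be used" % KEY
    value = raw.strip().strip("\"'")
    if value.startswith("${") and value.endswith("}"):
        return False, "unresolved Paste placeholder %s" % value
    if value in KNOWN_PLACEHOLDERS:
        return False, "placeholder value, must be replaced"
    if len(value) < MIN_SECRET_LEN:
        return False, "secret shorter than %d characters" % MIN_SECRET_LEN
    return True, "ok"


def ensure_cookie_secret(ini_text, section=SECTION):
    """Return ini text that passes the check, generating a secret if needed."""
    ok, _ = check_cookie_secret(ini_text, section)
    if ok:
        return ini_text
    parser = _parse(ini_text)
    if not parser.has_section(section):
        parser.add_section(section)
    parser.set(section, KEY, generate_cookie_secret())
    out = io.StringIO()
    parser.write(out)  # note: comments in the original text are not preserved
    return out.getvalue()


if __name__ == "__main__":
    ok, reason = check_cookie_secret(SAMPLE_INI)
    print("before:", ok, reason)
    fixed = ensure_cookie_secret(SAMPLE_INI)
    print("after:", check_cookie_secret(fixed))
    print(fixed)
```

At application startup, `check_cookie_secret` on the loaded ini and `raise SystemExit(reason)` on failure gives the refuse-to-run behaviour the advisory describes for 2.0.2; `ensure_cookie_secret` run once over a freshly generated ini file gives the automatic fill-in the reply asks about, without the secret ever living in source control or a template.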

